• User accidentally gains control of over 6,700 robot vacuums while tinkering with their own device to enable control with a PlayStation controller - security flaw reveals floor plans and live video feeds
• Did he just unintentionally raise his own robot army?
• A security flaw that exposed thousands of DJI Romo robot vacuums to unauthorized access has been unintentionally revealed after a tinkerer built an app to control their own device with a PlayStation controller.
• According to The Verge, this problem allowed the app to retrieve accurate floor plans, access live camera and microphone feeds, and even remotely control the affected devices.
• This was accidentally discovered by AI strategist Sammy Adoufal, who used Claude Code to reverse engineer the protocol used by the DJI Romo to communicate with its servers.
• But instead of giving him access to only his own device, it handed over the keys to around 6,700 robot vacuums located across the world.
Article Summaries:
- A security flaw in DJI’s Romo robot vacuum was accidentally uncovered when AI strategist Sammy Adoufal reverse‑engineered the device’s communication protocol to build a PlayStation‑controller app. The reverse engineering revealed that the private token he obtained for his own vacuum could be used to access the servers of roughly 6,700 Romos worldwide. The flaw allowed retrieval of accurate floor plans, live camera and microphone feeds, and remote control of the units. Adoufal reported the issue to DJI, which issued firmware updates that closed the vulnerability. However, he noted that data is stored in plain text and that some residual risks remain.
Sources: